Print | Rate this content

Bulletin: HPE ProLiant for Microsoft Azure Stack - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00042741en_us

Version: 1

Bulletin: HPE ProLiant for Microsoft Azure Stack - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-03-05

Last Updated: 2018-03-01


DESCRIPTION

On January 3, 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed (also referred to as Meltdown and Spectre). These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities calls both for a Microsoft Azure Stack update provided by Microsoft and a HPE ProLiant for Microsoft Azure Stack update from HPE.

Intel has provided a high level statement here: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ Non-HPE site

For additional information: https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&languageid=en-fr Non-HPE site

Microsoft Response: https://support.microsoft.com/en-us/help/4073418/azure-stack-guidance-protect-against-speculative-execution-side-channe Non-HPE site

Hewlett Packard Enterprise Product Security Vulnerability Alerts: https://www.hpe.com/us/en/services/security-vulnerability.html

NOTE: This site also provides a list of impacted Hewlett Packard Enterprise products with resolution status and links to product-specific communications, where available.

SCOPE

Any HPE ProLiant for Microsoft Azure Stack.

RESOLUTION

The updates described below resolve the Spectre Variant 1 (CVE-2017-5753) and Meltdown (CVE-2017-5754) vulnerabilities for the Hardware Lifecycle Host (HLH).

Resolution of the Spectre Variant 2 (CVE-2017-5715) vulnerability requires a BIOS update, which is based on pending updates from Intel. The BIOS update will be released at a future date. This communication will be updated as information becomes available.

Take the following steps to resolve the Spectre Variant 1 and Meltdown security vulnerabilities listed above:

  1. Apply the Microsoft Azure Stack 1712 update. See the Azure Stack 1712 Release Notes for installation instructions and additional information:

    https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-update-1712 Non-HPE site

  2. Download and extract update 1801 for the HPE ProLiant for Microsoft Azure Stack from Hewlett Packard Enterprise:

    http://www.hpe.com/info/MASupdates

  3. Read the full set of instructions for installing update 1801 before proceeding with the update.
  4. Apply update 1801 for the HPE ProLiant for Microsoft Azure Stack. The update takes approximately 30 to 60 minutes to complete.

NOTE: Customers who prefer to have Hewlett Packard Enterprise perform these updates can contact their HPE Account team to arrange an onsite solution update service through HPE Pointnext. https://www.hpe.com/h20195/v2/Getdocument.aspx?docname=a00025742enw

Variations of these vulnerabilities may also affect virtual machines (VMs) running in the tenant space. Customers should continue to follow security best practices for their VM images and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 Non-HPE site

Communications for similar products:

HPE SimpliVity 380, SimpliVity OmniCube, SimpliVity OmniStack For Cisco, Dell Or Lenovo: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039632en_us

HPE Hyper Converged 250 System for VMware vSphere, HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard, and HPE Hyper Converged 380: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00041797en_us

Note: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.


RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP : For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for ProLiant servers and Options, refer to the Navigation Tips document .

SEARCH TIP : For hints on locating similar documents on HPE.com, refer to the Search Tips Document .


Hardware Platforms Affected: HPE ProLiant for Microsoft Azure Stack
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK3080
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!
Document title: Bulletin: HPE ProLiant for Microsoft Azure Stack - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Document ID: emr_na-a00042741en_us-1
How helpful was this document?
How can we improve this document?
Note: Only English language comments can be accepted at this time.
Please wait while we process your request.